Moonpig jeopardizes data of millions of customers through insecure API
Moonpig, a large online seller of personalized greeting cards and gifts, shut down its mobile apps Tuesday because of a security weakness that could have given hackers access to customer information.
A developer named Paul Price found that Moonpig’s API (application programming interface), the online service used by the company’s mobile apps to interact with its website, lacked basic security features.
Price found that requests from Moonpig’s Android application to the API used a static set of credentials, regardless of customer account. The only thing that differentiated requests from different users was a customer ID included in the request URL.
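The pattern described above is a broken object-level authorization flaw: the API authenticated the app, not the user, so the customer ID in the URL was the only thing selecting whose data came back. The following added example (constructed for this page, not Moonpig's code; all names, keys and customer records are hypothetical) shows that weak handler next to a hardened one that binds a per-user token to a customer ID and refuses requests where the URL's ID does not match the token's subject.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample records (hypothetical, not real customer data).
CUSTOMERS = {
    "1001": {"name": "Alice", "address": "1 Example St"},
    "1002": {"name": "Bob", "address": "2 Example Ave"},
}

# Weak pattern: one credential shared by every install of the app.
STATIC_APP_CREDENTIAL = "app-wide-secret"  # hypothetical placeholder

def lookup_customer_vulnerable(customer_id: str, credential: str):
    """Checks only that the caller is 'the app'; any holder of the shared
    credential can read whichever customer ID they place in the URL."""
    if not hmac.compare_digest(credential, STATIC_APP_CREDENTIAL):
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)

# Hardened pattern: per-user token whose subject is a customer ID, plus an
# object-level check that the requested ID equals that subject.
SERVER_KEY = b"server-signing-key"  # hypothetical; belongs in a secret store

def issue_token(customer_id: str) -> str:
    """Issued after the user logs in; signs the subject so it cannot be edited."""
    body = json.dumps({"sub": customer_id}).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + sig).decode()

def verify_token(token: str):
    """Returns the token's subject, or None if the token is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, _, sig = raw.rpartition(b".")
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(body)["sub"]
    except (ValueError, KeyError, TypeError):
        return None

def lookup_customer_hardened(customer_id: str, token: str):
    subject = verify_token(token)
    if subject is None:
        return 401, None          # not authenticated as any user
    if subject != customer_id:
        return 403, None          # authenticated, but not for this object
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)
```

The 403 branch is the check the page says was missing: the server compares the identity it authenticated against the object being requested, rather than trusting the URL.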